Tsundere Botnet
MITRE Other
Unknown
Unknown
[Tsundere Botnet](https://attack.mitre.org/software/S9034) is a botnet first reported in mid-2025 that is delivered via MSI installer or PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. [Tsundere Botnet](https://attack.mitre.org/software/S9034) is attributed to a likely Russian-speaking threat actor.
A variant named DinDoor has been linked to [MuddyWater](https://attack.mitre.org/groups/G0069) operations and uses the Deno runtime for execution rather than Node.js. (Citation: Checkpoint_MOISCyberCrime_Mar2026)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026)(Citation: CAL_MuddyWater_Mar2026)(Citation: SecureListUbiedo_Tsundere_Nov2025)
Associated Techniques (17)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1027.010 | Command Obfuscation | - |
| T1027.013 | Encrypted/Encoded File | - |
| T1036.005 | Match Legitimate Resource Name or Location | - |
| T1059.001 | PowerShell | - |
| T1059.007 | JavaScript | - |
| T1071.001 | Web Protocols | - |
| T1082 | System Information Discovery | - |
| T1102.001 | Dead Drop Resolver | - |
| T1105 | Ingress Tool Transfer | - |
| T1140 | Deobfuscate/Decode Files or Information | - |
| T1195.001 | Compromise Software Dependencies and Development Tools | - |
| T1218.007 | Msiexec | - |
| T1480 | Execution Guardrails | - |
| T1547.001 | Registry Run Keys / Startup Folder | - |
| T1564.003 | Hidden Window | - |
Aliases (25)
Used by Actors (1)
Metadata
| ID: | 164139 |
| Created: | 28/04/2026 16:00 |
| Updated: | 10/05/2026 16:00 |